Decrypting HTTPS Traffic

Hypertext Transfer Protocol over SSL/TLS (https) gives pretty decent protection on the wire. At the start of an https connection the browser and the server run a TLS handshake to agree on session keys, and everything after that is encrypted with those keys. The original Secure Sockets Layer (SSL) versions have been retired: most Web servers today use Transport Layer Security (TLS 1.2 and newer), the successor to SSL 3.0, and SSL 3.0 itself is broken and should be disabled. The name "SSL" has stuck, though, and tools such as Wireshark used it in their menus for years, so the two terms get used interchangeably; strictly speaking TLS is not "SSLv3". The encryption is only as strong as the secrecy of those session keys, and there is more than one way to get at them. The KRACK attacks against WPA2, for example, let an attacker read Wi-Fi frames that should have been protected; that exposes the TLS traffic travelling over the link but does not by itself decrypt it.

I'll show you a way of decrypting TLS traffic using Wireshark and Google Chrome. Wireshark can decrypt TLS as long as it is handed the session secrets, and Chrome (like Firefox) will write those secrets to a file if you ask it to. First let's capture some regular TLS-encrypted traffic in Wireshark, the protocol analyzer. If you don't have Wireshark, you can download it for free from wireshark.org.

As you can see in the highlighted area, there is just a bunch of random-looking bytes. That is the encrypted application data, and we can't make much use of it as it stands.

Now navigate to Control Panel > System and Security > System, where you will see the following:

Click on the "Advanced system settings" link to open the System Properties dialog. It should look like this:

Now, click on the "Environment Variables…" button. But before we go any further, we must create a text document. Name it "SSLkeylogfile.txt" and put it somewhere only your own account can read, because it is about to hold the secrets for every TLS session Chrome makes. Now go back to the Environment Variables dialog and click the "New" button in the bottom (System variables) pane; the top pane, which sets the variable for your user only, works just as well.

Type "SSLKEYLOGFILE" in the variable name field and paste the full path to SSLkeylogfile.txt in the variable value field. Then click OK. Chrome only reads this variable when it starts, so close every Chrome window (and make sure no chrome.exe is still running in the background) and relaunch it; otherwise nothing will be written to the file.

Now, open Wireshark. Press Ctrl + Shift + P to open the Preferences dialog. Expand the Protocols list and click on "SSL" (in Wireshark 3.0 and later the entry is called "TLS"). In the "(Pre)-Master-Secret log filename" field, paste the path of the .txt file you just created.

Press OK and start a new capture. Type "http" in the display filter bar. Since Chrome is now writing its session secrets to SSLkeylogfile.txt and Wireshark is reading them from there, Wireshark can decrypt the TLS records and dissect the HTTP inside them. Open a new Google Chrome window and navigate to a Web site that uses https. You should see HTTP requests and responses popping up in Wireshark now. In the packet bytes pane, though, the data still looks encrypted: that tab shows the ciphertext exactly as it crossed the wire.

But if you click the "Decrypted SSL" tab at the bottom of that pane ("Decrypted TLS" in newer versions), the same bytes are shown decrypted:

As you can see now, the https traffic is decrypted. If you go back and open SSLkeylogfile.txt, you will see what made this possible: one line per TLS session, each starting with a label such as CLIENT_RANDOM followed by the 32-byte client random from the handshake and the session's master secret, all in hex (TLS 1.3 sessions get several *_TRAFFIC_SECRET lines instead). Wireshark matches the random in the captured ClientHello against these lines to find the key for each session. Anyone who obtains this file together with a capture can read the traffic, so delete it and remove the environment variable when you're finished. If a session refuses to decrypt, the usual cause is that Chrome was already running when the variable was set and never logged that session.
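As an added example (not from the original post or from Jonathon McKinney's blog), here is a small Python script that shows what Wireshark does with that file: it parses the NSS key log format that Chrome, Firefox and Wireshark share, pulls the client random out of a ClientHello record, and reports whether the log holds the secrets needed for that session, which is the first thing to check when a capture will not decrypt. The sample key log, the randoms and the ClientHello bytes are constructed for the demo, and the function names are mine.

```python
"""Check which TLS sessions in a capture an SSLKEYLOGFILE can unlock.

Added example, not code from the original post. It parses the NSS key log
format that Chrome, Firefox and Wireshark share, reads the client random out
of a ClientHello, and reports whether the log holds what Wireshark needs for
that session. The sample log and handshake bytes are constructed, not real.
"""
import struct
from collections import defaultdict

# NSS key log labels and the hex length of the identifier after each one.
# RSA and CLIENT_RANDOM serve TLS 1.2 and earlier; the *_SECRET labels are
# the per-session secrets TLS 1.3 decryption needs.
KEYLOG_LABELS = {
    "RSA": 16,              # first 8 bytes of the encrypted pre-master secret
    "CLIENT_RANDOM": 64,    # the 32-byte ClientHello random
    "CLIENT_EARLY_TRAFFIC_SECRET": 64,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": 64,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": 64,
    "CLIENT_TRAFFIC_SECRET_0": 64,
    "SERVER_TRAFFIC_SECRET_0": 64,
    "EXPORTER_SECRET": 64,
}
TLS13_REQUIRED = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                  "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}

def parse_keylog(text):
    """Return {identifier: {label: secret}}; a malformed line raises ValueError."""
    sessions = defaultdict(dict)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'LABEL <identifier> <secret>'")
        label, ident, secret = parts
        if label not in KEYLOG_LABELS:
            raise ValueError(f"line {lineno}: unknown label {label!r}")
        if len(ident) != KEYLOG_LABELS[label]:
            raise ValueError(f"line {lineno}: identifier must be {KEYLOG_LABELS[label]} hex digits")
        try:
            bytes.fromhex(ident), bytes.fromhex(secret)
        except ValueError:
            raise ValueError(f"line {lineno}: identifier and secret must be hex") from None
        sessions[ident.lower()][label] = secret.lower()
    return dict(sessions)

def extract_client_random(record):
    """Hex client random from a TLS record carrying a ClientHello: 5-byte record
    header, 4-byte handshake header, 2-byte version, then 32 random bytes at 11."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    record_len = struct.unpack("!H", record[3:5])[0]
    handshake_len = int.from_bytes(record[6:9], "big")
    if record_len < handshake_len + 4 or len(record) < 5 + record_len:
        raise ValueError("truncated record")
    return record[11:43].hex()

def decryptable(sessions, client_random):
    """'tls12': master secret logged; 'tls13': all four traffic secrets logged;
    'incomplete': only some TLS 1.3 secrets; 'missing': never logged, usually
    because the browser was already running when SSLKEYLOGFILE was set."""
    entry = sessions.get(client_random.lower())
    if entry is None:
        return "missing"
    if "CLIENT_RANDOM" in entry:
        return "tls12"
    return "tls13" if TLS13_REQUIRED <= entry.keys() else "incomplete"

def audit(keylog_text, records):
    """Map each ClientHello record's client random to its decryptable() status."""
    sessions = parse_keylog(keylog_text)
    return {rnd: decryptable(sessions, rnd)
            for rnd in (extract_client_random(r) for r in records)}

def build_client_hello(client_random):
    """Construct a minimal TLS 1.2 ClientHello record (demo input only)."""
    body = (b"\x03\x03" + client_random      # client_version, random
            + b"\x00"                         # empty session id
            + b"\x00\x02\xc0\x2f"             # one cipher suite
            + b"\x01\x00")                    # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Constructed log: TLS 1.2 session A, TLS 1.3 session B; C was never logged.
RANDOM_A, RANDOM_B, RANDOM_C = bytes(range(32)), bytes(range(32, 64)), bytes(range(64, 96))
SAMPLE_KEYLOG = f"""# constructed sample, not real secrets
CLIENT_RANDOM {RANDOM_A.hex()} {'11' * 48}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {RANDOM_B.hex()} {'22' * 32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {RANDOM_B.hex()} {'33' * 32}
CLIENT_TRAFFIC_SECRET_0 {RANDOM_B.hex()} {'44' * 32}
SERVER_TRAFFIC_SECRET_0 {RANDOM_B.hex()} {'55' * 32}
EXPORTER_SECRET {RANDOM_B.hex()} {'66' * 32}
"""

if __name__ == "__main__":
    demo = [build_client_hello(r) for r in (RANDOM_A, RANDOM_B, RANDOM_C)]
    for rnd, status in audit(SAMPLE_KEYLOG, demo).items():
        print(rnd[:16] + "...", status)
```

Run it as-is and session C comes back as "missing", which is exactly what a Chrome window that was open before the variable was set looks like to Wireshark; to use it on a real capture, feed parse_keylog the contents of SSLkeylogfile.txt and extract_client_random the TLS payload of each captured ClientHello.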

I would love to give credit to Jonathon McKinney. Check out his blog. He creates great content.